CrowdStrike’s Annual Threat Report Reveals Uptick Around Ransomware and Disruptive Operations; Exposes Evolution of eCrime Ecosystem
February 15, 2022CrowdStrike announced the release of the 2022 CrowdStrike Global Threat Report, which details an 82% increase in ransomware-related data leaks, debuts two new adversaries – WOLF (Turkey) and OCELOT (Colombia) – and adds 21 new tracked adversaries across the globe. The 8th annual Global Threat Report also outlines new operations and techniques from the Big Four: Iran, China, Russia and North Korea, breaks down the aftermath of the Log4Shell attacks and shows adversaries are moving beyond malware, as 62% of recent detections were malware-free.
The landmark CrowdStrike Intelligence report documents both the continued evolution of nation-state affiliated and criminal adversaries, as well as the increased sophistication, velocity and impact of targeted ransomware, disruptive operations and cloud-related attacks in 2021. Key findings in this year’s report give organizations the insight required to mature their security strategies and defend their businesses against prolific cyber threats.
Nation-State and Criminal Groups Continue to Expand
The 2021 threat landscape became more crowded as new adversaries emerged. CrowdStrike Intelligence today tracks more than 170 in total. Notable adversary updates include:
- Financially motivated eCrime activity continues to dominate the interactive intrusion attempts tracked by CrowdStrike OverWatch. Intrusions attributed to eCrime accounted for nearly half (49%) of all observed activity.
- Iran-based adversaries adopt the use of ransomware as well as “lock-and-leak” disruptive information operations – using ransomware to encrypt target networks and subsequently leak victim information via actor-controlled personas or entities.
- In 2021, China-nexus actors emerged as the leader in vulnerability exploitation and shifted tactics to increasingly targeting internet-facing devices and services like Microsoft Exchange. CrowdStrike Intelligence confirmed China-nexus actor exploitation of 12 vulnerabilities published in 2021.
- Russia-nexus adversary COZY BEAR expands its targeting of IT to cloud service providers in order to exploit trusted relationships and gain access to additional targets through lateral movement. Additionally, FANCY BEAR increases the use of credential-harvesting tactics, including both large-scale scanning techniques and victim-tailored phishing websites.
- The Democratic People’s Republic of Korea (DPRK) targeted cryptocurrency-related entities in an effort to maintain illicit revenue generation during economic disruptions caused by the COVID-19 pandemic.
- eCrime actors – including affiliates of DOPPEL SPIDER and WIZARD SPIDER – adopted Log4Shell as an access vector to enable ransomware operations. State-nexus actors, including NEMESIS KITTEN (Iran) and AQUATIC PANDA (China), were also affiliated with probable Log4Shell exploitation before the end of 2021.
Adversary Tradecraft Becomes More Sophisticated
The report highlights that the startling growth and impact of targeted ransomware, disruptive operations and an uptick in cloud-related attacks in 2021 was a palpable force felt across nearly every industry and in every country.
- CrowdStrike Intelligence observed an 82% increase in ransomware-related data leaks in 2021, with 2,686 attacks as of December 31, 2021, compared to 1,474 in 2020.
- The CrowdStrike eCrime Index (ECX) depicts that ransomware attacks were highly lucrative spanning all of 2021.The ECX displays the strength, volume and sophistication of the cybercriminal market, and is updated weekly based on 20 unique indicators of criminal activity, tracking things like Big Game Hunting victims, data leaks, and ransom demands. Over the course of 2021, CrowdStrike’s ECX noted the following:
- CrowdStrike observed 2,721 Big Game Hunting incidents last year.
- CrowdStrike Intelligence saw on average over 50 targeted ransomware events per week.
- Observed ransomware-related demands averaged $6.1 million per ransom, up 36% from 2020.
- Adversaries are increasingly exploiting stolen user credentials and identity to bypass legacy security solutions – of all detections indexed in the fourth quarter of 2021, 62% were malware-free.
“As cyber criminals and nation-states around the world continue to adapt in the changing, interconnected landscape, it’s critical that businesses evolve to defend against these threats by integrating new technologies, solutions and strategies,” said Adam Meyers, senior vice president of Intelligence at CrowdStrike. “The CrowdStrike Falcon platform, powered by the world class intelligence that informs this annual report, offers the full suite of tools necessary to deliver hyper-accurate detections, automated protection and the remediation needed to stop threats in their tracks. The annual Global Threat Report paints a picture that shows enterprise risk is coalescing around three critical areas: endpoints and cloud workloads, identity and data, and provides a valuable resource for organizations looking to bolster their security strategy.”
Download the 2022 CrowdStrike Global Threat Report.